House members seek stronger health care data breach notifications
The House Committee on Energy and Commerce is voicing concern over a controversial provision in a recently passed health care breach notification bill that gives health care companies considerable discretion on whether to disclose a data breach.
The so-called "harm threshold" provision was included in an interim final rule published late last month by the U.S. Department of Health and Human Services (HHS) in a bill requiring breach notification for unsecured health information. Under the provision, health-care entities would have to publicly disclose data compromises only if they think the breach will cause financial harm to those whose data was compromised or hurt their reputation.
In a letter dated Oct. 1, members of the House committee asked HHS Secretary Kathleen Sebelius to revise or repeal the new provision at the "soonest appropriate opportunity."
The letter, signed by the chairman of the committee, Rep. Henry Waxman (D-Calif.) and others, noted that the new harm threshold provision runs counter to Congress' intent in passing the breach notification bill. The bill's statutory language does not imply a harm standard, Waxman wrote. In fact, in drafting the bill, Congress had explicitly rejected the idea of including such a provision because of the "breadth of discretion" it would have given a breached entity, the letter said.
The health-care breach notification law is part of the $20 billion Health Information Technology for Economic and Clinical Health Act (HITECH) that was passed by Congress earlier this year as part of President Obama's economic stimulus plan. The law, which went into effect last week, requires any organization covered under the Health Insurance Portability and Accountability Act (HIPAA) to notify patients of a data breach involving their personal health information. Companies that use encryption and data destruction methodologies to render sensitive health information unusable and unreadable to unauthorized individuals are exempt.
Privacy and civil rights groups claimed that the HHS had essentially neutered the breach notification bill with its harm threshold requirement. They also accused the department of caving in to industry pressure. Groups such as Patient Privacy Rights, a watchdog group in Texas, and the Washington-based Center for Democracy and Technology said the provision completely undermined the intent of the bill and removed any incentive for breached entities to disclose a data compromise.
Computerworld
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
Security
Powered by TwitterOn Twitter now
Security
Brian Proffitt
Microsoft/Novell: Breaking Down the Coupon Numbers
Esther Schindler
Drupal's Dries Buytaert on Building the Next Drupal
Tom Henderson
Top Ten General Operating Systems Rants
pasmith
PS3 motion controller delayed; goes up against Project Natal
sjvn
Neolithic Windows security hole alive and well in Windows 7
claird
Perl source code comparison makes for good reading
mikelgan
Cell phones don't create stress or interrupt much
Sandra Henry-Stocker
How to: The Unix Interview
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
- Ubuntu advances: Why Ubuntu server installations will surge in 2010
- Social media marketing: How to make friends with benefits
- More...
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
